California Consumer Privacy Act of 2018 and Implications for IT Systems

By Mohammad Raza Rizvi

Today, customer’s personal information (PI) is used by businesses to provide differentiated services. Businesses use personal information in day-to-day operations to deliver the services expected by the customer too. Some companies’ business model depends entirely on quality, quantity and variety of consumer data (e.g. Raddit and Quora which provide free service and generate revenue by targeted ads; or Spotify which lets consumers benefits of free listening in exchange for ads that uses targeted ads).

For marketing purposes, to avoid consumers being bombarded with tons of marketing messages, and also to improve the marketing success rates, businesses use enriched customer information to target them with contextualized and appropriate offers across industries - Telecom, Retail, Finance, Insurance, Consumer products and so on.

California Consumer Privacy Act of 2018 in its current form will impact the organization processes, business model, and may even threaten the very existence of some.

What is California Consumer Privacy Act of 2018

California legislature passed a new data privacy bill - California Consumer Privacy Act of 2018 (AB 375) that deals with how businesses use an individual's personal information and any information drawn from it. It is by far the toughest privacy law in US.

Beginning January 1, 2020, the bill would grant a consumer “a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The bill would require a business to provide this information in response to a verifiable consumer request. The bill would authorize a consumer to opt out of the sale of personal information by a business."

Which businesses does the AB 375 affect?

Any business that operates in California and stores or processes personal information about California residents must comply with AB 375. Specific criteria for companies required to comply are:

• Every business that operates in California which has $25MM revenue, or
• Any business which sells or receives personal information of more than 50,000 consumers per year, or
• Any business that derives more than 50% of its revenue by selling consumer’s personal information

Definition of Personal Information (PI)

The definition of personal information in AB 375 is more comprehensive than Europe’s GDPR². Personal information means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

What does this privacy act mean for businesses?

AB 375 has taken a wide view of what constitutes as personal information and puts restrictions. For example – A business will have to treat internet activity and IP address same as they treat SSN. Today data is consumed and it leaves a company in all kind of ways. Businesses will have to document and maintain PI tracking. Business and IT leaders must understand how and why consumer information is possessed and processed by themselves; and who else has access to it and why. Business has to track three “Ws” of data – “What do you collect about the consumer”, “Why do you collect this data” and “Whom do you share it with”.

Any business that sells consumers’ personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt out of the sale of their personal information. A third party shall not sell personal information about a consumer which it has acquired from another business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.

Once an individual’s information has been collected for a particular purpose, the information can’t be used for any other purpose without informing the individual. Companies that use consumer information for providing differentiated or targeted services, will have to rewrite the rules how ads are targeted, or in worst case, have to relook at their business model. While the companies still have chance to amend the bill provisions before it comes into effect in 2020, it is imperative to understand bill’s implications and plan for it nevertheless.

What it means for consumers

Consumers may request to know what information business has about them, how that is used, and to whom that has been sold. Consumers can opt out of the sale of their personal information. Consumers may request deletion of their personal information.

A business will have to delete consumer information and also direct service providers to delete too unless it can’t be deleted due to an exception below.

• Complete the transaction for which information was collected.
• Provide a good or service requested by the consumer.
• Required to maintain ongoing relationship with the consumer.
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
• Debug to identify and repair errors that impair existing intended functionality.
• Comply with law and regal requirements.

What it means for IT systems

Impact will vary between the verticals and it will also depend on what business model a business follows, and underlying technology architecture. A business has to track each consumer's data and must refer to the choices he made prior to selling the information. The real difficulty will be in tracking the data within various departments/with other businesses and feed this information back to a central system (e.g. CRM). The more data a business collects about a consumer, the more IT systems will have to have ability to track and comply. Businesses will have to review how consumer data flows throughout the organization and make adjustments in people, processes and technology areas to comply with the regulation.

Since each organization has unique technology architecture, list of impacted systems will vary. But at the very minimum, following systems will have impacts.

• Customer Relationship Management (or individual Marketing, Sales, Service, Loyalty Management systems)
• Systems that are used in customer communications (e.g. email marketing systems)
• System(s) of records
• Data Warehouse
• Backup and Data Archival system(s)
• MDM system
• Business Process Management system
• Any other System(s) that stores personal information

Companies will have two choices for their IT - either apply a patch for different ("more restrictive") privacy rules for California residents based on their address or change their systems in general for all their consumers. Former approach has a potential of backlash should a privacy breach that impacts non-Californian consumers. With data privacy becoming a grave concern due to data breaches and misuse, other states may follow suit. Therefore, solution focused on one state may be short-lived. 

Typically, Customer Relationship Management (CRM) system is considered to the central repository of consumer information. If consumer information is scattered in multiple systems, then, each system will have to be compliant separately. All the systems of record of personal information will have to be extended to keep an audit log of how this information is/was used and with which third parties the data was shared, and what was the intended purpose. Tracking three Ws, opt out, and deletion will have to be processed in as many systems. Due to this reason, such organizations should do a thorough assessment whether an architecture re-design to maintain all the consumer personal information in a single system will be a better approach. 

To comply with the act, new capabilities and business processes will have to be developed.

Information of minor consumer

If the consumer is minor, then, develop business rules that prohibit sales of consumer information if explicit consent from him/her has not been received. 

Deliver PI to the consumer

Upon receiving a verified request, business will have to share consumer’s information with him/her by mail or electronically within 45 days. If information is electronically shared, it should be in portable data format that can be used by another entity without hindrance. Data should cover the 12-month period preceding the receipt of request. IT systems will have to implement new processes, modify systems and create capability to generate personal information data file in electronic format (e.g. csv file or report in electronic format) and/or in a format that can be sent by mail (e.g. printout of a report by mail). It is implicitly expected that data will be appropriately masked and should follow the standard security practices of treating confidential personal data.

Delete consumer’s personal information

Deletion request will have to be recorded and verified in the request system (e.g. CRM). Afterwards, it has to flow to all the systems where such personal information is maintained. A handshake mechanism will have to be developed so that roll up happens and request system is updated accordingly. Any exceptions should also roll-up for audit purposes. If personal information was sold to third parties, then, request has to flow to them as well.

Opt-out request

Business will have to record the consumer’s opt-out request and develop systems, processes that evaluate consumer choice prior to sharing any consumer information with third parties.

Businesses should seriously consider creating chief data officer (CDO) role if not existing already. CDO role should be the leading authority on monetizing data and additionally oversee AB 375 compliance within the organization. This has to be a single authority so as to understand how to monetize consumer data while being compliant with the regulations.

Businesses should start planning for its implementation now. It presents both challenges and opportunities for business as well as system integrators. It will require resources just like any other IT program. System integrators and consulting companies who are the trusted partners can start the conversation and help deliver this change.

In a nutshell, businesses will have to review how consumer data flows throughout the organization and make adjustments in people, processes and technology areas to comply with the regulation. Businesses will also have to build internal audit processes and new roles to oversee compliance. Technology is only one piece of the puzzle.

( The author is is currently based out of Dallas. He has been in technology domain for more than 16 years and helps customers succeed in their IT Transformation and Implementations programs)